On 04/01/2014 01:42 PM, Kim Lawson-Jenkins wrote: >> I read on a SELinux-related blog that unconfined_r should be mapped to >> staff_u when removing the unconfined domain, so I didn't remove >> unconfined _r for all of the SELinux users. Should I remove unconfined_r > for staff_u? > > That doesn't make sense. Can you cite this blog? > > http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-eight-unconfin > ed.html It looks like his example was for the case where you remove only the unconfined module, not unconfineduser. I think you at least need to update /etc/selinux/targeted/contexts/failsafe_context to use a different context if fully removing unconfined_r/unconfined_t. And certainly Red Hat isn't testing that scenario. > Kim's response - I'm updating a policy for an application that ran on RHEL5 > using the then-supported strict policy. I read that removing the unconfined > domain will make the newer systems operate as the old strict policy, so I > went with this method for updating the policy. I hadn't heard about using > mls as an alternative to removing the unconfined module. The mls policy has always been strict policy + MLS (instead of MCS). Whether or not the specific -mls package that your distribution includes has everything you need I don't know.
